CCIE Security Advanced Technologies Class

Transcript

1	Introduction	0h 37m
2	CCIE Security Preparation Resources	0h 50m
3	ASA Overview	0h 37m
4	Basic ASA Initialization	1h 02m
5	ASA Routing	0h 37m
6	ASA Reliable Static Routing	0h 20m
7	ASA Access Control Lists (ACLs)	0h 41m
8	ASA Modular Policy Framework (MPF) Overview	0h 53m
9	ASA Modular Policy Framework (MPF) Configuration	0h 51m
10	ASA Advanced TCP Inspection with MPF	0h 40m
11	ASA Advanced Application Inspection with MPF	0h 36m
12	ASA Quality of Service (QoS)	0h 30m
13	ASA Network Address Translation (NAT) Part 1	0h 50m
14	ASA Network Address Translation (NAT) Part 2	0h 30m
15	ASA Transparent Firewall Overview	0h 25m
16	ASA Transparent Firewall Configuration	0h 43m
17	ASA ARP Inspection with Transparent Firewall	0h 21m
18	ASA Multiple Context Mode Overview	0h 42m
19	ASA Multiple Context Mode Configuration	0h 59m
20	ASA Redundant Interfaces	0h 22m
21	ASA Failover Overview	0h 19m
22	ASA Active/Standby Failover Routed Firewall Configuration	0h 29m
23	ASA Active/Standby Failover Transparent Firewall Configuration	0h 17m
24	ASA Active/Active Failover Routed Firewall Configuration	0h 37m
25	ASA Multiple Context Transparent Firewall Configuration	0h 29m
26	ASA Active/Active Failover Transparent Firewall Configuration	0h 29m
27	IOS Access Control Lists (ACLs)	0h 23m
28	IOS Time Based ACLs	0h 13m
29	IOS Lock & Key Security with Dynamic ACLs	0h 24m
30	IOS Reflexive ACLs	0h 44m
31	IOS TCP Intercept and Content Based Access Control (CBAC)	0h 39m
32	Zone Based Policy Firewall Overview	0h 26m
33	Zone Based Policy Firewall Configuration	0h 44m
34	ZBPF Self Zone & ZBPF Exceptions	0h 48m
35	Port to Application Mapping (PAM)	0h 32m
36	ZBPF Parameter Tuning	0h 32m
37	ZBPF Application Inspection	0h 27m
38	IOS Transparent Firewall	0h 28m
39	IPsec Overview	0h 37m
40	IOS IPsec LAN-to-LAN Configuration	0h 58m
41	IPsec Troubleshooting	0h 42m
42	GRE over IPsec, IPsec Profiles, & VTIs	0h 51m
43	ASA IPsec Overview	0h 24m
44	ASA IPsec LAN-to-LAN Configuration	0h 20m
45	Certificate Authority (CA) Overview	0h 16m
46	IOS & ASA LAN-to-LAN IPsec with Certificates	0h 57m
47	Easy VPN Overview	0h 12m
48	IOS Easy VPN Server	1h 10m
49	IOS Easy VPN Client	0h 30m
50	IOS Easy VPN with Dynamic VTIs, ISAKMP Profiles	0h 49m
51	ASA Easy VPN Server	0h 51m
52	ASA Easy VPN Server & IOS Easy VPN Client	0h 17m
53	ASA Clientless & AnyConnect SSL VPN	1h 04m
54	DMVPN	1h 05m
55	IPS Overview, Promiscuous Mode & SPAN	0h 43m
56	IPS Promiscuous Mode & RSPAN	0h 28m
57	IPS Blocking Devices & Custom Signatures	0h 50m
58	IPS Inline Mode, VLAN Pairing	0h 15m
59	IPS Virtual Sensors and Signature Engines	0h 16m
60	AAA Overview, Local AAA, & Role Based CLI	0h 51m
61	RADIUS, TACACS+, & Cisco Secure ACS Configuration	0h 51m
62	RADIUS & TACACS+ Exec Authorization & Accounting	0h 39m
63	TACACS+ Command Accounting	0h 30m
64	RADIUS & TACACS+ Enable Authentication	0h 14m
65	IOS Authentication Proxy	0h 33m
Total Duration		39h 19m

Base Configs

Diagrams

Slides - Introduction

Slides - ASA

Slides - IOS Firewall

Slides - VPN

Slides - IPS

Slides - Identity Management

0:00:13	In our next section we are going to talk about ipsec VPNs on the asa
0:00:18	as well as the specifics of the tunnel groups and the group policies
0:00:23	that are little bit different than we what we previously saw with the ios implementation of the ipsec vpns
0:00:31	now we will see that the configuration syntax and the configuration logic
0:00:34	of ipsec and the asa is going to be a mix between the ios
0:00:38	and the previous vpn
0:00:40	3000 concentrator
0:00:42	that the asa got a lot of its
0:00:44	underlying logic for with
0:00:46	the tunnel groups and the group policies
0:00:49	now we will see that
0:00:50	like the ios
0:00:52	the asa still does use isakmp
0:00:54	policies and it does use cryptomaps
0:00:57	which are going to be used to define our phase 1 and phase 2 parameters
0:01:00	for the majority of ipsec options
0:01:02	then we will have the tunnel groups and the group policies
0:01:06	that came from the vpn concentrator
0:01:08	that are going to be used to apply per
0:01:10	user attributes or per group attributes
0:01:13	for land to land tunnels for remote access tunnels
0:01:16	and also for the web vpn or ssl vpn tunnels
0:01:22	now just like an ios
0:01:24	we are going to define our phase 1
0:01:26	parameters with the isakmp policy
0:01:29	which is going to be things like the authentication the hash
0:01:33	whether they were using md5 or sha
0:01:35	is the encryption 1des 3des aes
0:01:39	whats the dh group
0:01:41	thats going to control
0:01:42	how large of a number that we are going to use to seed the
0:01:46	encryption and decryption keys
0:01:48	and just like an ios the isakmp policy
0:01:51	is going to be processed in a top down fashion
0:01:54	so similar to a route map
0:01:56	once a match occurs or once the match is true
0:01:59	we are going out of the policy
0:02:01	and we are not going to continue to look at the additional sequences after that
0:02:05	so if we wanted to prefer
0:02:07	the tunnels to use lets say aes
0:02:09	as its encryption mechanism
0:02:11	we would want to put that towards the top of the policy
0:02:14	but then for any peers that don't support aes
0:02:17	may they only support 3des
0:02:19	if its an older version the vpn client
0:02:21	then they would fall down to the subsequent policies
0:02:26	then additionally just like an ios we are going to use the crypto map to define our
0:02:30	phase 2 parameters
0:02:32	which we call are going to be 3 main options
0:02:35	first of which is who is the tunnel going to
0:02:38	and this is going to defined by the peer address
0:02:42	then what is actually going to go inside the tunnel
0:02:45	which is defined by the proxy identities or the proxy acl
0:02:49	and how is the traffic going to be treated
0:02:51	which is defined by the ipsec transform set
0:02:57	now the differences between the configuration asa and ios
0:03:02	are going to be the 2
0:03:03	parameters that are the tunnel group and the group policy
0:03:07	and the tunnel group is going to be similar in logic to how an isakmp profile
0:03:11	works in ios
0:03:13	where we have a general template
0:03:16	of phase 1 type parameters
0:03:18	that we going to apply on to one or more tunnels
0:03:21	depending on the individual criteria that we are defining
0:03:25	and matching based on their particular profile
0:03:27	or in the case of the asa based on the tunnel group
0:03:32	now the asa is going to do the matching
0:03:34	based on what is the end point of the tunnel
0:03:37	this could be either based on the ip address
0:03:40	could be based on the host name could be based on the certificate
0:03:44	so we have some flexibility depending on whether we are doing lan to lan vpns
0:03:48	or remote access vpns or ssl vpns
0:03:51	we have different type of parameters that we can match
0:03:54	and then map to an individual tunnel group
0:03:58	now once the tunnel group is found
0:04:00	and bound to an individual tunnel
0:04:02	what it is going to do is apply different types of settings
0:04:06	like the pre share key
0:04:08	for phase 1 authentication
0:04:10	or we were to do rsa signatures
0:04:13	we would be defining who is the particular certificate authority server or servers
0:04:17	that we were be using the certificate from
0:04:21	we could also define our aaa settings
0:04:23	like if we are using
0:04:25	an easy vpn client or we going on a
0:04:27	authenticate the user locally to our local day to day so we are going to go to our remote radius server
0:04:34	and then one of the most important points is what is the group policy
0:04:38	that is going to be tied to the tunnel group
0:04:42	so again 2 different portions the tunnel group
0:04:44	and the group policy
0:04:45	where tunnel group is like the isakmp profile
0:04:48	and the group policy
0:04:51	is going to be a set
0:04:52	of attribute value pairs or av pairs
0:04:55	for the specific ipsec tunnel
0:04:59	now for first examples we were going through the lan to lan configuration for the asa
0:05:04	the attribute which is most important about the group policy
0:05:07	is whether we are using
0:05:09	perfect forward secrecy or not
0:05:12	where previously in the ios implementation you would define this under the crypto map
0:05:16	but in the case of the asa this is going to defined under the group policy
0:05:21	now the vast majority of the other av pairs or the other attributes
0:05:25	that are called from the group policy
0:05:27	are going to be relating to remote access VPNs
0:05:31	so things like the split tunnel policy
0:05:34	where the same traffic goes over the ipsec tunnel and
0:05:37	other traffic does not based on the destination
0:05:41	any type of vpn filtering
0:05:42	if i wanted to say the users cannot use
0:05:46	port 80 over the
0:05:48	the ipsec tunnel or may be the
0:05:50	they can run applications like
0:05:51	irc for example
0:05:53	so any type of access list thats actually filtering the traffic inside the tunnel
0:05:58	which is different than the proxy acl
0:06:00	that is trying to direct
0:06:02	us to figure out what traffic is supposed to go into the tunnel
0:06:06	we can also define what are the
0:06:08	tunneling protocols that we can or cannot use
0:06:11	like are we allowed to do transparent tunneling over udp
0:06:15	are we allowed to use l2tp for remote access
0:06:18	are we allowed to use the web vpn or ssl vpn feature
0:06:23	this would be defined by the group policy
0:06:26	now lot of the other miscellaneous options like whats your dhcp server or port
0:06:31	whats your dns server your proxy server
0:06:34	any type of network
0:06:36	access control or we are going to get admission control
0:06:39	this type is going to be defined by the group policy
0:06:43	now we will see some different configuration examples where we do this locally
0:06:47	on the asa
0:06:48	and we can do it through radius
0:06:51	so when a particular user comes in lets say with the easy vpn client
0:06:55	and they authenticate we could send their username and password to radius
0:06:59	then radius can return
0:07:01	a dhcp address they can return a dns address
0:07:05	they could return a specific access list
0:07:07	that we are going to use for split tunneling or for vpn filtering
0:07:13	now again as i mention most of these are going to be used for the remote access VPNs
0:07:17	when we look at our first examples with the lan to lan vpn
0:07:21	the main one thats important is whether
0:07:23	the perfect forward secrecy is enabled or not
0:07:26	most of the other attributes that we need to define are going to be under the
0:07:29	the tunnel group not under the group policy
0:07:34	now syntax wise both for the tunnel group and the group policy
0:07:39	the syntax is generally too complex to memorise
0:07:42	so you really wouldn't be expected to know this type of configuration of the topic ahead
0:07:47	but there is 3 ways that we are going to look at
0:07:49	they help us build these
0:07:51	command line configs
0:07:54	now if we were to do this through the web interface like the asvn then we would need to know
0:07:58	really the specifics of the tunnel group or the group policy syntax
0:08:02	that were when we are doing it from the command line
0:08:04	there is a lot of mightier options
0:08:06	and it can be confusing to figure out
0:08:08	which parameter is going to the tunnel group which one is going to the group policy
0:08:12	so we are going to look at 3 different ways that we can
0:08:15	use the resources either through documentation
0:08:17	or from the command line itself
0:08:20	to be able to keys these configurations together
0:08:23	now the first of these is going to be the cisco documentation
0:08:27	so we need to know for the lan to lan VPNs
0:08:29	for the remote access
0:08:31	and for the web VPNs
0:08:32	where exactly are the configuration guides located
0:08:35	for the asas syntax
0:08:38	the next one from the command line itself we have a command that is known as vpn setup
0:08:44	and this is going to give us help with a basic template of configuration
0:08:48	whether we are using a lan to lan vpn configuration
0:08:51	or remote access or web vpn
0:08:54	its kind of like the configuration guide
0:08:57	where gives you a step by step list of what you need to do
0:09:00	but you can do that right on the command line as supposed to having to
0:09:03	after reference the external documentation
0:09:07	then the last one is we saw previously before when we were dealing with things like the
0:09:11	the modular policy framework modification
0:09:14	is the show run all command
0:09:17	this is going to be very useful for a ipsec configs on the asa
0:09:21	where we would saw either show run all tunnel group
0:09:24	or show run all per policy
0:09:26	which is going to show us the changes that we have made
0:09:29	to endure the ipsec configs
0:09:31	but also the defaults
0:09:33	for the lan to lan remote access tunnel groups
0:09:36	and then the default for the proof ???? policies
0:09:39	so next lets take a look at the documentation
0:09:43	so we can see how we can peace ??? together
0:09:45	both the tunnel group
0:09:47	syntax md ??? group policy configuration
0:09:49	both for the lan to lan VPNs
0:09:52	and with the remote access VPNs
0:09:55	so from the main documentation page we are going to go down to products
0:10:00	and to security
0:10:05	then to our
0:10:06	firewall firewall appliance
0:10:09	asa 5500
0:10:11	configuration guides
0:10:13	and then to our particular version which in this case is 8.0
0:10:20	section is going to be configuring vpn
0:10:23	then mainly this is going to be under configuring the tunnel groups
0:10:26	the group policies and the users
0:10:29	now this is going to show us the individual attributes that we would put under the tunnel group or the group policy
0:10:34	or the per user options
0:10:36	again we would get into more details with this when we get into the remote access VPNs
0:10:41	but just for the basic configuration
0:10:44	if you look at
0:10:45	like the configuring lan to lan VPNs
0:10:49	you will see that in the beginning of the asa documentation
0:10:53	they have this section that is the general summary
0:10:55	of what you need to do in order to accomplish this particular configuration
0:11:00	so its kind of nice because they put
0:11:02	essentially the configuration example first
0:11:05	where within the scope of the lab exam or whether you are just trying to
0:11:09	to build the basic configuration
0:11:12	in production
0:11:13	you can use this kind of quick reference to say
0:11:16	well i know that i need my basic phase 1 policy information
0:11:20	i know that i need to know whats the
0:11:22	the transform set for phase 2
0:11:25	which is going to define how the traffic is treated
0:11:28	i need the proxy access list
0:11:30	thats going to determine what traffic goes into the tunnel
0:11:34	then i have my tunnel group
0:11:36	which for lan to lan is mainly going to be used to define the pre shared key
0:11:41	then i am going to tie this together with the crypto map
0:11:44	whether crypto map is following the proxy acl
0:11:47	defining the peer address
0:11:48	defining the transform set
0:11:50	and then finally apply it onto the interface
0:11:55	now likewise when you look at the remote access VPNs
0:11:59	if we were to say remote access vpn or easy vpn
0:12:03	to look at the easy vpn client
0:12:05	you will see likewise it has the summary at the configuration here
0:12:10	where with the remote access VPNs
0:12:13	we will see there is more work it goes on under the tunnel group
0:12:17	where we would define things like whats the
0:12:20	the dhcp address that we are going to allocate to the user
0:12:23	we could also define
0:12:25	the individual policy options
0:12:28	where we will see if we are not referencing an individual policy
0:12:32	its going to fall back to a default one
0:12:35	that we can see when we look at the show run all tunnel group
0:12:40	so again when we go to these individual examples with lan to lan and to remote access
0:12:45	we will come back to the documentation in more detail
0:12:48	but the key is that you can pretty much use some of the examples that they are showing here
0:12:52	under the configuring vpn section
0:12:54	and then change the syntax around in order to meet whatever your particular needs are
0:13:00	now from the command line point of view
0:13:03	if we were to go to the asa here
0:13:06	and in a global configuration
0:13:08	issue the vpn setup command
0:13:12	it says there is 4 different options we have either remote access
0:13:16	l2tp remote access
0:13:18	ssl vpn remote access
0:13:20	and then the site to site or the lan to lan VPNs
0:13:25	so if we were to say
0:13:26	vpn setup site to site
0:13:28	and i want to know what are the individual steps that i need to go through
0:13:32	similar to the configuration guide its going to show you the
0:13:35	final result of the syntax
0:13:37	and then you can take this as an example
0:13:40	and keys ???? it together in order to match whatever your particular requirements are
0:13:46	so its the same logic that we use in the ios configuration
0:13:50	where first we need to define our
0:13:52	phase 1 policy
0:13:55	that is things like the authentication
0:13:57	the encryption the hash
0:13:59	the dh group
0:14:00	and also if we wanted to define the
0:14:03	the security association lifetime for phase 1
0:14:07	then we have the phase 2 transform set
0:14:11	which again is defining how the traffic is going to be treated
0:14:15	the access list is going to say what traffic goes into the tunnel
0:14:19	we have the pre-share key
0:14:22	which is then reference from the tunnel group
0:14:25	this is tied together from the crypto map
0:14:28	crypto map is applied on the interface
0:14:30	and then lastly isakmp is enabled on the interface
0:14:35	where in the case of the ios there is very last that you don't need to do
0:14:39	because isakmp is automatically enabled when you bind the
0:14:42	crypto map to the interface in ios
0:14:45	but on the asa you need to do both of them you need to assign the crypto map to the interface
0:14:49	and you also need to define
0:14:52	or enable i should say you need to enable
0:14:54	isakmp on that interface as well
0:14:58	now the last option
0:15:01	again is going to be the show run all command
0:15:04	where the documentation does show us the
0:15:07	the basic example
0:15:09	of piece ?? together
0:15:10	as this is the vpn setup command
0:15:13	but it really doesn't show us all the individual options of what we can do with the crypto maps
0:15:17	with the tunnel group and with the group policy
0:15:20	so if we were to look at the show run
0:15:22	all crypto
0:15:24	this is going to show us some of the defaults
0:15:26	that the asa has like whats the
0:15:29	the phase 2 lifetime
0:15:31	security association lifetime values
0:15:34	we have this in a
0:15:35	a time value in seconds
0:15:37	we also have it in kilobytes
0:15:40	the replay window size
0:15:43	would control the
0:15:46	receiving duplicate packets
0:15:48	which is the entire replay
0:15:50	feature of ipsec
0:15:52	we also have options for fragmentation
0:15:55	it says the don't fragment bit should be copied from whatever the settings are between the interfaces
0:16:02	and then the
0:16:03	the isakmp NAT reversal
0:16:06	feature is on automatically
0:16:09	so we will come back to look at some examples both of ios
0:16:12	and with the asa
0:16:14	when the endpoints
0:16:16	of the vpn tunnel are behind network address translation
0:16:19	whether thats going to be a potential issue
0:16:21	if we were allowed to tunnel the traffic over udp
0:16:24	or tunnel it over tcp
0:16:26	or do a direct one to one mapping of esp
0:16:33	so this one here is going to help us out to show run all crypto
0:16:36	we can also look at the
0:16:37	the show run all crypto map
0:16:42	which right now we don't have any crypto maps configured so its not going to show anything
0:16:46	but the other 2 that are useful are the show run all
0:16:49	tunnel group
0:16:52	which here it we can see it shows us the default
0:16:56	lan to lan group options
0:16:59	the default remote access group options
0:17:03	then
0:17:04	within these individual default groups
0:17:07	there is separate type of sub attributes like we have ppp
0:17:10	attributes ipsec attributes
0:17:13	web vpn attributes
0:17:15	most of these are going to be for the different remote access groups
0:17:19	for the lan to lan tunnels
0:17:22	it says that the default
0:17:24	group policy
0:17:26	excuse me the default lan to lan group
0:17:30	is an ipsec lan to lan tunnel
0:17:32	it is calling the default group policy
0:17:36	which has the name of the default group policy
0:17:40	so then if we were to correlate this with the
0:17:42	the show run all group - policy
0:17:47	says we have the default group policy
0:17:49	which is defining things like the message of the day banner
0:17:54	when you connect with your vpn client
0:17:56	whats the the win server the dns server
0:18:00	whether perfect for a secrecy
0:18:02	is on or off
0:18:04	whether transparent tunneling is enabled
0:18:07	whats the split tunneling policy
0:18:09	but you can see a lot of this stuff is self explanatory
0:18:12	but the problem is that there is so many different pieces of syntax here
0:18:16	it would be very difficult to try to memorise all of these
0:18:20	and even from trying to reference this from the documentation
0:18:23	might take you quiet a bit of time
0:18:25	to locate the individual
0:18:27	command or the individual option that you are trying to change
0:18:31	so using this out put to show run all
0:18:33	group policy and the show run all tunnel group
0:18:36	is going to cut down on the amount of time
0:18:38	that you need to piece all of these configurations together
0:18:45	now once the tunnel group and the group policy are actually defined
0:18:49	then we need to determine
0:18:51	when we are initiating
0:18:53	a tunnel or when we are receiving a tunnel
0:18:56	how do we actually know which particular tunnel group that the asa is supposed to use
0:19:01	and this is going to be based on the name
0:19:04	of the tunnel group
0:19:06	now we will see there are cases where we can name the tunnel an ip address
0:19:11	we can give it a
0:19:12	a string a name
0:19:15	depending on whether this is going to be a lan to lan or remote access tunnel
0:19:19	but
0:19:20	the tunnel group name
0:19:22	is then going to be matched against the
0:19:25	the ike identifier
0:19:27	which is exchanged during our phase 1 isakmp negotiation
0:19:31	so for example if we were doing aggressive mode
0:19:34	for phase 1
0:19:36	that the tunnel group name is going to matched against the host name
0:19:39	thats in the ike packet
0:19:42	now if we were using certificate authority to use or say signatures or digital signatures
0:19:48	then we are going to look at the organisational unit or the OU field
0:19:53	from the common name
0:19:55	so it is going to be significant when we look at the actual signature
0:20:00	or the actual certificate
0:20:01	that is issued to a vpn client
0:20:04	or is issued to
0:20:05	an ios router or to another asa
0:20:08	when we were matching this against the tunnel group
0:20:11	we need to make sure that we have the right field
0:20:13	in the certificate matching against our actual tunnel group name
0:20:19	now we will also see in certain cases the ike the identifier
0:20:23	may not have a specific string
0:20:25	like the host name or the digital signatures
0:20:29	and may be this is going to be to
0:20:31	to the fact that we are running main mode in phase 1
0:20:35	so we talked about the difference between
0:20:37	main mode and aggressive mode
0:20:39	where in main mode
0:20:41	the identities of the peers are not established
0:20:45	until the phase 1 isakmp asa is actually
0:20:47	brought up
0:20:49	whereas in an aggressive mode we are sending the ike proposal
0:20:53	plus we are sending the identification
0:20:55	right at the first step
0:20:58	but the point here is that in main mode since we don't establish the identity since after the tunnel is up
0:21:03	we can use the ike identifier
0:21:06	to figure out what is the particular tunnel group
0:21:08	and in this case this is where we are going to use the ip address
0:21:13	so for a basic lan to lan configuration
0:21:17	of asa to asa
0:21:19	or asa to ios
0:21:20	the tunnel group name
0:21:23	should match teh peer address
0:21:25	that we are matching in the crypto map
0:21:29	so we will take a look at some of examples here we are configuring
0:21:32	a tunnel from asa to
0:21:35	to router 3
0:21:37	where asa 2 is going to say that the tunnel group's name
0:21:41	is the address
0:21:43	that router 3 is listening for the tunnel or router 3 is initiating the tunnel from
0:21:49	if router 3 resourcing the tunnel from its loop back address
0:21:52	thats what the tunnel group name would be
0:21:56	so essentially whatever address that we have set
0:21:58	the peer as inside of the crypto map
0:22:00	that needs to match what the tunnel group
0:22:03	name is
0:22:06	now the actual mapping process can be changed
0:22:10	there is a couple of commands on the asa that are going to control this
0:22:13	which are the tunnel-group-map enable
0:22:18	we can use the organisational unit inside of the
0:22:21	the digital signature
0:22:23	we can use the ike identifier we can use the peer address
0:22:27	and by default all 3 of these are enabled
0:22:31	now if for some reason we cannot match
0:22:34	any of the names
0:22:36	then we are going to fall back to the default
0:22:38	tunnel group
0:22:40	which is set to the default ra group
0:22:44	automatically
0:22:46	so essentially what this means is that if we were configuring a lan to lan tunnel
0:22:51	but for some reason
0:22:53	we could not map the peer address
0:22:56	or the signature for the particular tunnel
0:22:59	it means that its going to fall back to the default remote access group
0:23:02	which is probably not what we are trying to accomplish
0:23:06	so when we look at the configuration here we look at some
0:23:10	correct configurations
0:23:11	and then some incorrect configurations
0:23:14	look through the debugs and the show commands
0:23:16	to figure out is the tunnel group properly being mapped
0:23:19	or is it falling over to an incorrect group or falling over to
0:23:23	on the default remote access group
0:23:27	now you can technically change this if you say the tunnel group mapped default group
0:23:31	we can specify the name
0:23:33	and you could see these options if you look at the show run all tunnel group map command
0:23:40	so if we were to look at the command line here
0:23:42	and say show run all tunnel - group - map
0:23:47	it says that automatically
0:23:50	the default group that you will fall back to is the last resort is the default ra group
0:23:56	and you are going to try to match either based on the organisational unit the ike identifier or the peer address
0:24:04	then for advanced configurations with certificates
0:24:07	there is an option where we can configure these tunnel
0:24:10	map rules
0:24:12	that based on the particular signature
0:24:15	or certificate they were trying to use
0:24:17	we can manually map it to a particular tunnel group

Now Viewing

CCIE Security Advanced Technologies Class
Title:	CCIE Security Advanced Technologies Class
Duration:	39h 19m
The CCIE Security Advanced Technologies Class is the first step in understanding CCIE level technologies and is a companion to the Advanced Technologies Lab Workbook. Each technology you need to know for the CCIE Security lab will be described in detail using an instructor led hands on demonstration. The class consists of over 40 hours of in depth explanations and examples.
Get instant access to our entire library!
$159/month	Add to Cart
Download this Course
$299.00	Add to Cart

ASA IPsec Overview

Create Bookmark